CLAIMS

1. A method for analyzing a logfile produced by a computer network security
system, comprising:

providing a regular expression query associated with a pattern to be
searched for in the logfile; and

using the query to search for the pattern in the logfile.






2. The method as recited in claim 1, wherein the pattern is associated with a possible
sgid exploit.

3. The method as recited in claim 2, wherein using the query to search for the pattern
includes searching for entries showing that a process has been started with effective 
group ID equal to zero. 



4. The method as recited in claim 3, wherein using the query to search for the pattern
further includes storing a process ID of the process, and searching for processes with a 
parent process ID equal to the stored process ID. 



5. The method as recited in claim 1, wherein the pattern is associated with a possible
suid exploit.
6. The method as recited in claim 5, wherein using the query to search for the pattern
includes searching for entries showing that a process has been started with effective user
ID equal to zero.


7. The method as recited in claim 6, wherein using the query to search for the pattern
further includes storing a process ID of the process, and searching for processes with a
parent process ID equal to the stored process ID.

8. The method as recited in claim 2, wherein the pattern is associated with processes 
spawned by a shell. 



9. The method as recited in claim 8, wherein using the query to search for the pattern
includes searching for entries showing that the shell has started a process, storing a
process ID of the process, and searching for entries showing processes with parent 
process ID equal to the stored process ID. 
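The searches described in claims 3 through 9, worked through as an added example; this is not code from the patent, and the logfile format (one "exec" entry per process start with real and effective IDs and a parent PID) is a constructed assumption, since the claims do not specify one. The example goes slightly beyond the claims by following the stored process ID through every generation of children rather than one, and by treating a privileged process whose parent was already flagged as inherited privilege rather than a separate finding.

```python
import re
from collections import defaultdict

# Constructed sample logfile in a hypothetical format (not the patent's): one
# "exec" entry per process start, with real and effective IDs and the parent PID.
SAMPLE_LOG = """\
2003-04-01 12:00:01 exec pid=1001 ppid=900 uid=1001 euid=1001 gid=100 egid=100 cmd=/bin/sh
2003-04-01 12:00:05 exec pid=1002 ppid=1001 uid=1001 euid=0 gid=100 egid=100 cmd=/usr/bin/passwd
2003-04-01 12:00:06 exec pid=1003 ppid=1002 uid=1001 euid=0 gid=100 egid=100 cmd=/bin/sh
2003-04-01 12:00:07 exec pid=1004 ppid=1003 uid=1001 euid=0 gid=100 egid=100 cmd=/usr/bin/id
2003-04-01 12:00:09 exec pid=1005 ppid=1001 uid=1001 euid=1001 gid=100 egid=0 cmd=/usr/bin/wall
2003-04-01 12:00:10 exec pid=1006 ppid=1001 uid=1001 euid=1001 gid=100 egid=100 cmd=/bin/ls
"""

# The regular expression query: one pattern that extracts every field of an exec entry.
EXEC_RE = re.compile(
    r"^(?P<ts>\S+ \S+) exec pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) "
    r"uid=(?P<uid>\d+) euid=(?P<euid>\d+) gid=(?P<gid>\d+) egid=(?P<egid>\d+) "
    r"cmd=(?P<cmd>\S+)$"
)


def parse_log(text):
    """Run the query over the logfile; lines that do not match are ignored."""
    entries = []
    for line in text.splitlines():
        m = EXEC_RE.match(line)
        if m:
            e = m.groupdict()
            for k in ("pid", "ppid", "uid", "euid", "gid", "egid"):
                e[k] = int(e[k])
            entries.append(e)
    return entries


def descendants(entries, root_pid):
    """Store a PID, then search for processes whose parent PID equals it (claims 4
    and 7), repeating for each child so the whole subtree under the root is found."""
    by_parent = defaultdict(list)
    for e in entries:
        by_parent[e["ppid"]].append(e)
    found, queue = [], [root_pid]
    while queue:
        pid = queue.pop(0)
        for child in by_parent.get(pid, []):
            found.append(child)
            queue.append(child["pid"])
    return found


def privileged_starts(entries, eff_field):
    """Entries showing a process started with effective user or group ID zero while
    its real ID is not zero (claims 3 and 6). A process whose parent was already
    flagged merely inherited the privilege, so it is reported as a child instead."""
    real_field = "uid" if eff_field == "euid" else "gid"
    flagged, roots = set(), []
    for e in entries:
        if e[eff_field] != 0 or e[real_field] == 0:
            continue
        flagged.add(e["pid"])
        if e["ppid"] in flagged:
            continue
        roots.append(e)
    return roots


def shell_spawned(entries, shells=("/bin/sh", "/bin/bash", "/bin/ksh", "/bin/csh")):
    """Claims 8 and 9: entries where a shell was started, mapped to the PIDs of the
    processes whose parent PID is that shell."""
    return {e["pid"]: [c["pid"] for c in entries if c["ppid"] == e["pid"]]
            for e in entries if e["cmd"] in shells}


def report(text):
    """Possible suid/sgid exploits, each with the process tree it spawned."""
    entries = parse_log(text)
    findings = []
    for eff_field, label in (("euid", "suid"), ("egid", "sgid")):
        for e in privileged_starts(entries, eff_field):
            findings.append({
                "type": label, "pid": e["pid"], "cmd": e["cmd"],
                "children": [(c["pid"], c["cmd"]) for c in descendants(entries, e["pid"])],
            })
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_LOG):
        print(finding)
    print(shell_spawned(parse_log(SAMPLE_LOG)))
```

On the constructed log, the passwd process (PID 1002) is reported as a possible suid exploit with the shell and the id command it spawned as children, and the wall process (PID 1005) as a possible sgid exploit with no children; the two shells are reported with the processes each one started.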






10. The method as recited in claim 2, wherein the pattern is associated with user
keystrokes, and the method further comprises aggregating the user keystrokes found in 
the logfile. 

11. The method as recited in claim 10, wherein the found user keystrokes are
aggregated upon finding a keystroke representing a newline character.

12. The method as recited in claim 11, further comprising presenting the aggregated
keystrokes to a second user. 


13. The method as recited in claim 2, wherein the pattern is associated with screen
output characters, and the method further comprises aggregating the screen output
characters found in the logfile.



14. The method as recited in claim 13, wherein the found screen output characters are
aggregated upon finding a screen output character representing a newline character.

15. The method as recited in claim 14, further comprising presenting the aggregated
keystrokes to a second user.


16. The method as recited in claim 1, wherein the pattern is associated with files to be
monitored.


17. The method as recited in claim 2, wherein using the query to search for the pattern
includes searching for entries showing that a monitored file has been accessed.

18. The method as recited in claim 17, further comprising indicating to a second user
a filename of the accessed monitored file. 

19. The method as recited in claim 17, further comprising indicating to a second user
a process ID of a process that accessed the monitored file. 

20. The method as recited in claim 19, further comprising automatically searching for
the process ID in the logfile.



21. The method as recited in claim 2, wherein using the query to search for the pattern
includes searching for entries showing that an attempt has been made to access a
monitored file. 
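The keystroke and screen output aggregation of claims 10 through 15 and the monitored file searches of claims 16 through 21, as an added example that is not code from the patent. The logfile format is a constructed assumption (each keystroke or screen output character is its own hex-encoded entry; file opens record the path and whether access succeeded), since the claims do not fix one. The example also keeps characters that arrive after the last newline, so an unfinished line is reported rather than dropped.

```python
import re

# Constructed sample logfile in a hypothetical format (not the patent's): every
# keystroke ("key") and screen output byte ("out") is its own entry, hex-encoded;
# file opens record the path and whether the access succeeded or was denied.
SAMPLE_LOG = """\
2003-04-01 12:01:00 key pid=1001 byte=69
2003-04-01 12:01:00 key pid=1001 byte=64
2003-04-01 12:01:01 key pid=1001 byte=0a
2003-04-01 12:01:01 out pid=1001 byte=75
2003-04-01 12:01:01 out pid=1001 byte=69
2003-04-01 12:01:01 out pid=1001 byte=64
2003-04-01 12:01:01 out pid=1001 byte=3d
2003-04-01 12:01:01 out pid=1001 byte=30
2003-04-01 12:01:01 out pid=1001 byte=0a
2003-04-01 12:01:02 open pid=1002 path=/etc/shadow result=ok
2003-04-01 12:01:03 open pid=1006 path=/etc/shadow result=denied
2003-04-01 12:01:03 open pid=1006 path=/tmp/scratch result=ok
2003-04-01 12:01:04 key pid=1001 byte=6c
2003-04-01 12:01:04 key pid=1001 byte=73
"""

# Regular expression queries for the two entry kinds used below.
BYTE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<kind>key|out) pid=(?P<pid>\d+) byte=(?P<hex>[0-9a-f]{2})$"
)
OPEN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) open pid=(?P<pid>\d+) path=(?P<path>\S+) result=(?P<result>ok|denied)$"
)


def aggregate_stream(text, kind):
    """Claims 10 to 14: gather the single-character entries of one kind per process
    and emit a line each time a newline character is found. Characters after the
    last newline are returned separately as 'pending' so an unfinished line is kept."""
    buffers, lines = {}, []
    for line in text.splitlines():
        m = BYTE_RE.match(line)
        if not m or m.group("kind") != kind:
            continue
        pid = int(m.group("pid"))
        ch = chr(int(m.group("hex"), 16))
        buf = buffers.setdefault(pid, [])
        if ch == "\n":
            lines.append((pid, "".join(buf)))
            buf.clear()
        else:
            buf.append(ch)
    pending = {pid: "".join(b) for pid, b in buffers.items() if b}
    return lines, pending


def monitored_file_events(text, monitored):
    """Claims 17 to 21: entries showing that a monitored file was accessed, or that
    an access was attempted and denied, with the filename and PID for the analyst."""
    events = []
    for line in text.splitlines():
        m = OPEN_RE.match(line)
        if m and m.group("path") in monitored:
            events.append({"pid": int(m.group("pid")), "path": m.group("path"),
                           "accessed": m.group("result") == "ok"})
    return events


def entries_for_pid(text, pid):
    """Claim 20: automatically search the logfile for every entry carrying the PID."""
    query = re.compile(rf"\bpid={int(pid)}\b")
    return [line for line in text.splitlines() if query.search(line)]


if __name__ == "__main__":
    print(aggregate_stream(SAMPLE_LOG, "key"))
    print(aggregate_stream(SAMPLE_LOG, "out"))
    for event in monitored_file_events(SAMPLE_LOG, {"/etc/shadow"}):
        print(event, entries_for_pid(SAMPLE_LOG, event["pid"]))
```

On the constructed log the keystrokes aggregate to the line "id" with "ls" still pending, the screen output aggregates to "uid=0", and the monitored file /etc/shadow shows one completed access by PID 1002 and one denied attempt by PID 1006, whose other entries the PID search then brings up.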


22. A method for providing security for a computer network, comprising:

generating content sets for a computer associated with the network;

determining whether a user should be routed to the generated content sets;

selecting one of the content sets if it is determined that the user should be
routed to the generated content sets;

routing the user to the selected generated content set;

producing a logfile of at least a portion of the user's activity with respect
to the computer; and

using at least one regular expression query to analyze the logfile.



23. The method as recited in claim 22, further comprising associating each generated
content set with a virtual computer. 



24. The method as recited in claim 23, wherein selecting one of the content sets
includes choosing a content set associated with a virtual computer requested to be
accessed by the user.



25. The method as recited in claim 24, wherein producing the logfile includes storing
information regarding the user's activity with respect to the selected content set and
associated virtual computer.

26. The method as recited in claim 25, wherein the computer is running on a Solaris 
operating system.

27. A system for analyzing a logfile produced by a computer network security
system, comprising: 

a storage including a regular expression query associated with a pattern to 
be searched for in the logfile; and 

a processor configured to use the query to search for the pattern in the
logfile.



28. The system as recited in claim 27, wherein the pattern is associated with a
possible sgid exploit.

29. The system as recited in claim 28, wherein the processor is further configured to
search for entries showing that a process has been started with effective group ID equal to
zero.



30. The system as recited in claim 29, wherein the processor is further configured to
store a process ID of the process, and search for processes with a parent process ID equal
to the stored process



31. The system as recited in claim 27, wherein the pattern is associated with a
possible suid exploit.

32. The system as recited in claim 31, wherein the processor is further configured to
search for entries showing that a process has been started with effective user ID equal to
zero.



33. The system as recited in claim 32, wherein the processor is further configured to 
store a process ID of the process, and search for processes with a parent process ID equal 
to the stored process ID. 



34. A system for providing security for a computer network, comprising:

a computer configured to generate content for the computer, wherein the
computer is associated with the network; 
a network device configured to determine whether a user should be routed
to the generated content and to route the user to the generated content if it is 
determined that the user should be routed to the generated content; 

a logging mechanism configured to produce a logfile of at least a portion
of the user's activities with respect to the generated content; and 

a storage including a regular expression query usable by the computer to
search the logfile for a pattern associated with the regular expression query.



35. A computer program product for analyzing a logfile produced by a computer
network security system, comprising a computer usable medium having machine
readable code embodied therein for

providing a regular expression query associated with a pattern to be
searched for in the logfile; and

using the query to search for the pattern in the logfile.



36. A computer program product for providing security for a computer network,
comprising a computer usable medium having machine readable code embodied therein 
for 

generating content sets for a computer associated with the network;
determining whether a user should be routed to the generated content sets;

selecting one of the content sets if it is determined that the user should be 
routed to the generated content sets; 

routing the user to the selected generated content set;